Access Token Authentication

Overview

VersionOne Access Tokens provide a secure and streamlined approach for authenticating with the VersionOne API. They are more secure than Basic Authentication. Access Tokens can be used for API access no matter what authentication method your VersionOne instance is configured to use, including SAML SSO.

Key advantages of using VersionOne Access Tokens include:

Easy to create and revoke

Managed by the member that created them and administrators

Simple to pass in the authorization header of an HTTP request

Never expire or have to be refreshed

Work with all types of VersionOne authentication configurations, including Basic (username and password), Windows Integrated Authentication (NTLM), and SAML SSO

Creating Access Tokens

Each application that accesses the VersionOne API using an Access Token must be created as an application within VersionOne. Applications may be created in the following ways:

Members: Members can create Personal applications in the Member Applications page, or through the API using the Application asset.

Once a Public or Personal application has been created, administrators and members can then create a grant for those applications using the Access Token authentication type. The grant allows an application to operate on the member's behalf with the same Roles and Project Memberships that are assigned to that member.

While applications may be created through the API, grants may not. You must use the VersionOne user interface to create grants for applications.

Using Access Tokens

Once an Access Token has been created, you can use it for all calls to the VersionOne API. Access Tokens are passed as "Bearer" tokens in the Authorization header of an HTTP request. Unlike Basic Authentication credentials, Access Tokens do not require any special encoding, since they have already been encoded.

Here's an example of how to use an Access Token in the Authorization header of an HTTP request:
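An added Python example (not VersionOne's own code) that builds such a request and guards the token in transit: it refuses non-HTTPS URLs, rejects tokens with embedded whitespace, and refuses redirects to another origin so the header cannot follow them. The environment variable name, the host `v1.example.com`, the instance name and the `rest-1.v1/Data/Member` path are assumptions for illustration.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumed names, not from the page: the environment variable and the URL.
TOKEN_ENV = "V1_ACCESS_TOKEN"
API_URL = "https://v1.example.com/MyInstance/rest-1.v1/Data/Member"


def build_request(url, token):
    """Return a GET request carrying the Access Token as a Bearer token."""
    parts = urlsplit(url)
    # The token never expires, so refuse to send it over cleartext HTTP.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Access Tokens must only be sent to https:// URLs")
    token = token.strip()
    # Reject embedded whitespace/control characters (header injection).
    if not token or any(c.isspace() or ord(c) < 0x20 for c in token):
        raise ValueError("token is empty or contains whitespace")
    req = urllib.request.Request(url, method="GET")
    # Used exactly as issued: no Base64 step, unlike Basic Authentication.
    req.add_header("Authorization", "Bearer " + token)
    return req


class SameOriginRedirects(urllib.request.HTTPRedirectHandler):
    """Refuse redirects that leave the original scheme, host or port."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        old, new = urlsplit(req.full_url), urlsplit(newurl)
        if (old.scheme, old.hostname, old.port) != (new.scheme, new.hostname, new.port):
            raise urllib.error.HTTPError(
                newurl, code, "cross-origin redirect refused", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def redact(token):
    """Short form of the token that is safe to write to logs."""
    return token[:4] + "..." if len(token) > 8 else "***"


if __name__ == "__main__":
    token = os.environ[TOKEN_ENV]  # keep the token out of source control
    opener = urllib.request.build_opener(SameOriginRedirects)
    print("calling", API_URL, "with token", redact(token))
    with opener.open(build_request(API_URL, token), timeout=10) as resp:
        print(resp.status)
```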